This is the secret racoon error message decoder ring.
May it help Google help others struggling with racoon's "helpful" error
messages.
unknown notify message, no phase2 handle found
racoon received a notification from the peer but could not tie it to a
phase 2 exchange and does not spell out what it was. Run racoon in the
foreground with debugging (racoon -F -d; repeat -d for more detail) to
see the notify type. Usually, the peer was unable to verify the
certificate.
no suitable policy found
You did not set an SPD policy for this address pair with setkey.
Check /etc/ipsec.conf and load it again with setkey -f /etc/ipsec.conf.
no policy found
same as above? Maybe the difference is that you didn't set a policy
at all?
trns_id mismatched: my:12 peer:3
I got this when I tried a racoon key exchange over a NATted
connection. I think it means that the outer IP (the IP of the NAT
gateway) and the inner IP (192.168.*) don't match the same policy rule
in /etc/ipsec.conf.
invalid msg length.
I have no idea what causes this. It didn't appear to have any
negative impact though.
failed to get proposal for responder
I got this when one side was configured for blowfish and the other was
configured for 3des in racoon.conf.
unable to get local issuer certificate
This is an OpenSSL error, not a racoon one. I got this when the
certificate was self-signed instead of signed by a CA the peer
recognizes.
If it is signed by a CA, OpenSSL could not find that CA's certificate:
it looks in the certificate directory for a file named after the hash
of the CA's subject, not for a file called CA.crt. Copy the CA.crt file
to /etc/cert (or wherever "path certificate" in racoon.conf points)
and run
ln -s CA.crt `openssl x509 -noout -hash -in CA.crt`.0
The .0 suffix is a collision counter; use .1 if another CA already has
a link with the same hash. Use the openssl binary of the same OpenSSL
version racoon is linked against: OpenSSL 1.0.0 changed the subject
hash, so links made by an older openssl are not found. c_rehash
regenerates all links in a directory.
notify message must be encrypted
This happened to me because one side proposed aes and the other 3des.
failed to get subjectAltName
You forgot to set "my_identifier asn1dn;" in the remote section.
failed to get my CERT
The path or filename is wrong in racoon.conf. Use
strace -e trace=open,openat racoon -F
(openat included because newer C libraries open files with it) to see
which files racoon tries to open. Here is an excerpt from my
racoon.conf:
path certificate "/etc/cert" ;
certificate_type x509 "knuth.crt" "IPsec Server Key.pem";
This will look for /etc/cert/knuth.crt (the certificate) and
"/etc/cert/IPsec Server Key.pem" (the private key); both names are
taken relative to the path certificate directory.
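To put the directives the entries above refer to in one place, here is an added example racoon.conf (not this page's configuration; the host name, file names and algorithm choices are assumed). It shows where the certificate path, the identifier type and the phase 1 and phase 2 algorithm lists live, and which error each one produces when it is wrong.

```conf
# Added example racoon.conf; file names and algorithms are assumed.
# Directory handed to OpenSSL; the CA.crt hash links belong here too.
path certificate "/etc/cert";

remote anonymous {
        exchange_mode main;
        # Both files are looked up under /etc/cert; a wrong name here
        # gives "failed to get my CERT".
        certificate_type x509 "knuth.crt" "knuth.key";
        # Identify by the certificate's DN; without this racoon reports
        # "failed to get subjectAltName".
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_cert on;
        proposal {
                # Phase 1: must agree with the peer, otherwise
                # "failed to get proposal for responder".
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        # Phase 2: these lists are matched against the peer's proposal;
        # a cipher the peer's list does not contain shows up as
        # "trns_id mismatched: my:<id> peer:<id>".
        pfs_group modp1024;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Keep the proposal and sainfo algorithm lists identical on both peers, or at least make sure every algorithm one side offers appears in the other side's list.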
(Thanks to Kurt Jaeger for this one:)
ERROR: ignore information because the message is too short
This can happen if the system time on the client is wrong, so that the
certificate fails its validity-period check. For Kurt it happened
because the client was an Android phone and had its clock reset to
1980, but the cert was from 2011.
[Update 2014-11-22: This can also happen if the system time is correct
but the client certificate is expired, says Vadim]
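As an added example (not part of the original page), here is a small Python script that runs the decoder ring over racoon log output: it parses lines in racoon's foreground (-F) log format, matches each message against a rule table paraphrased from the entries above, and decodes the numbers in "trns_id mismatched" lines using the IPsec DOI ESP transform identifiers (RFC 2407 section 4.4.4, plus ESP_AES = 12 from RFC 3602). The sample log lines are constructed for the demo, and the exact wording of the diagnoses is mine.

```python
"""Triage racoon log output against the decoder ring above.

Added example, not part of the original page.  The sample lines below are
constructed in racoon's foreground (-F) log format; the rule table
paraphrases this page's entries; the transform-ID table is the IPsec DOI
ESP transform list (RFC 2407 section 4.4.4) plus ESP_AES = 12 (RFC 3602).
"""
import re

# ESP transform identifiers as they appear in "trns_id mismatched" lines.
ESP_TRANSFORM_ID = {
    1: "DES_IV64", 2: "DES", 3: "3DES", 4: "RC5", 5: "IDEA", 6: "CAST",
    7: "BLOWFISH", 8: "3IDEA", 9: "DES_IV32", 10: "RC4", 11: "NULL", 12: "AES",
}

# (regex over the message part, likely cause) -- one entry per page item.
RULES = [
    (r"unknown notify message, no phase2 handle found",
     "peer sent a notification racoon could not match to a phase 2 exchange; "
     "rerun with racoon -F -d, usually the peer rejected our certificate"),
    (r"no suitable policy found|no policy found",
     "no SPD policy for this address pair; reload /etc/ipsec.conf with setkey -f"),
    (r"failed to get proposal for responder",
     "phase 1 proposal mismatch (e.g. blowfish vs 3des) between the racoon.conf files"),
    (r"notify message must be encrypted",
     "proposal mismatch (e.g. aes vs 3des) between the peers"),
    (r"unable to get local issuer certificate",
     "OpenSSL cannot find the issuing CA: self-signed peer cert, or no hash "
     "symlink for CA.crt in the certificate directory"),
    (r"failed to get subjectAltName",
     'missing "my_identifier asn1dn;" in the remote section'),
    (r"failed to get my CERT",
     "certificate or key file name wrong in racoon.conf; check with "
     "strace -e trace=open,openat racoon -F"),
    (r"ignore information because the message is too short",
     "client clock wrong or client certificate expired"),
    (r"ignore information because ISAKMP-SA has not been established yet",
     "Windows peer found no computer certificate (import it into the "
     "computer store via the MMC certificates snap-in)"),
    (r"invalid msg length",
     "cause unknown; seen without negative impact"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z]+): (?P<msg>.*)$")
TRNS_RE = re.compile(r"trns_id mismatched: my:(\d+) peer:(\d+)")


def esp_name(tid):
    """Name of an ESP transform ID, or unknown(<n>) for IDs not in the table."""
    return ESP_TRANSFORM_ID.get(tid, "unknown(%d)" % tid)


def parse_line(line):
    """Split one foreground-format log line into (timestamp, level, message)."""
    m = LINE_RE.match(line.strip())
    return (m.group("ts"), m.group("level"), m.group("msg")) if m else None


def diagnose(msg):
    """Likely cause for one message, or None if the decoder ring has no entry."""
    m = TRNS_RE.search(msg)
    if m:
        mine, peer = int(m.group(1)), int(m.group(2))
        return ("phase 2 ESP transform mismatch: we propose %s (id %d), peer "
                "proposes %s (id %d); align encryption_algorithm in the sainfo "
                "sections" % (esp_name(mine), mine, esp_name(peer), peer))
    for pattern, cause in RULES:
        if re.search(pattern, msg):
            return cause
    return None


def triage(lines):
    """Return [(timestamp, level, message, cause)] for recognised messages,
    keeping only the first occurrence of each distinct message."""
    seen, findings = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, msg = parsed
        cause = diagnose(msg)
        if cause is None or msg in seen:
            continue
        seen.add(msg)
        findings.append((ts, level, msg, cause))
    return findings


# Constructed sample, not a real capture.
SAMPLE_LOG = """\
2014-11-22 10:01:02: INFO: begin Identity Protection mode.
2014-11-22 10:01:02: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
2014-11-22 10:01:03: ERROR: ignore information because ISAKMP-SA has not been established yet.
2014-11-22 10:05:17: ERROR: trns_id mismatched: my:12 peer:3
2014-11-22 10:05:17: ERROR: trns_id mismatched: my:12 peer:3
2014-11-22 10:09:40: ERROR: unable to get local issuer certificate
2014-11-22 10:09:41: ERROR: failed to get subjectAltName
this line is not in racoon's format and is skipped
""".splitlines()

if __name__ == "__main__":
    for ts, level, msg, cause in triage(SAMPLE_LOG):
        print("%s %s: %s\n    -> %s" % (ts, level, msg, cause))
```

Feed it real output with `racoon -F -d 2>&1 | tee racoon.log` and pass the lines to triage(); messages without an entry are skipped, so anything that stays unexplained is a candidate for a new line in the decoder ring.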
I recommend using xca for the certificate stuff. Using plain openssl is
very time consuming and in the end not worth your while. The URL is
http://www.hohnstaedt.de/xca.html
See also:
http://www.ipsec-howto.org/x210.html
http://lartc.org/howto/lartc.ipsec.html
And now a little goodie for poor Cisco users (thanks to Andreas Bogk
for this):
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 145.254.62.73 failed its sanity check or is malformed
This is Cisco's catch-all error message.
If you increase the log level, you will get more detail, but it will
be in the debug buffer, not in the syslog messages.
The most probable reason for this error message is an expired
certificate.
The magic incantation is:
conf term
logging buffered 8192 debugging
^Z
debug crypto isakmp error
then retry the IKE negotiation and look at the log with
show log
invalid PEM boundary
You foolishly assumed that, since the public key is also part of the
private key, it would be sufficient to just give IOS the private
key. IOS actually wants something like "BEGIN PUBLIC KEY"... "END
PUBLIC KEY"... "BEGIN RSA PRIVATE KEY"... "END RSA PRIVATE KEY" as
sequence. Also, IOS will only accept keys with a PEM passphrase.
It will ask for the passphrase on import and then save the key
without passphrase internally.
If you find that you cannot import PEM keys, your IOS may not have PEM
support. As ridiculous as this sounds, IOS 12.3(8)T has PEM support,
but IOS 12.3(9)T does not. Another IOS command you should know is
"term mon", Andreas finally adds. It makes debug output show up on
your terminal (if it's not the console anyway).
And now, finally, something for the Windows people. If your racoon
says:
INFO: begin Identity Protection mode.
INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
ERROR: ignore information because ISAKMP-SA has not been established yet.
then Windows probably could not find a computer certificate. If you
foolishly thought double clicking on the .p12 file would make the
certificate known to Windows, think again: that imports it into the
current user's personal store, while IPsec uses the local computer's
store. You need to do this:
Start -> Run -> MMC
File -> Add/Remove Snap-In
Choose the Certificate Snap-in
Add -> Service Account -> Local computer -> IPSEC Services -> Close, OK
Right click on one of the certificate stores in the tree view on the
left
Import -> Next -> choose your key file and let Windows choose
To debug IKE on Windows, start regedit, move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
and create a new key, "Oakley". Then, inside Oakley, create a new
DWORD, "EnableLogging". Set this to 1 and restart the IPSEC Services
service (net stop policyagent, then net start policyagent). Windows
will then log Oakley debug messages to \WINNT\Debug\Oakley.log
(%SystemRoot%\Debug\Oakley.log on installs that are not in \WINNT).
Now that's what I call obvious!